5

I'm trying to do penetration testing of our ASP.NET website to check for security loopholes (specifically for SQL injections). We bought a commercial web scanner tool (IBM Rational AppScan), however it only does black box scanning for IIS and fails to detect SQL injections in certain scenarios.

What we're looking for is a similar tool to AppScan, but it should also be able to 'attach' to an IIS process (or SQL Server DB that we're using as a back end) and detect whether or not a certain HTTP request generated an actual SQL injection.

Looks like the latest version of AppScan (8.5) does it but only for Java-based web services. We need something that can work in IIS/SQL Server environment.

Scott Pack
  • I'm not aware of any which currently do this - generally the SQLi validation is manual, through comparing the DB log record with the attack log. You could try migrating this to Security Stack Exchange, though. – Rory Alsop May 04 '12 at 13:49
  • I, too am unaware of something that would attach to an IIS process as you specify. It sounds like you are looking for a web application firewall if you have a complex application. Have you looked at w3af for sqli? – schroeder May 04 '12 at 16:39

2 Answers

1

I'm not quite sure whether you're looking for a preventative tool or a detective tool.

SQLi is basically a method to get an app server to send valid SQL queries to the database, right? Pen testing can show you the "how", given the myriad of ways to send queries to be executed by the SQL server. If you're looking for a preventative (and sometimes detective) technology, a web application firewall and database firewall may fit better than an app test tool (Rational, Core Impact, etc.). A web application firewall usually comes with signatures for a bunch of vulns, including different SQL injection methods, but some of the advanced products will fingerprint typical request and response data to make sure a valid request doesn't generate a response that's atypical.

A database firewall picks up where the web app firewall left off and keeps an eye on the actual query and response.

Imperva offers both web and database firewalls. Secerno/Oracle offers a database firewall, but I think it's only for Oracle DBs. I'm sure there are other vendors that offer a database firewall.

HackToHell
bangdang
  • MS SQL db firewall options are extremely limited. I have only been able to dig up 1 vendor, GreenSQL, for a MS SQL firewall besides Imperva - http://www.greensql.com/solutions/mssql-sql-server-security, but it does not offer the WAF component like Imperva. – August Jun 05 '12 at 15:11
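Rory's comment and the answer above both point at the same confirmation method: match the database's statement log against the scanner's attack log. The script below is an added example (not code from the question, the answers, or any vendor) that automates that correlation over constructed sample IIS and SQL Server statement logs; the log layouts, the one-second matching window and the metacharacter pattern are assumptions.

```python
"""Correlate IIS request log entries with SQL Server statement log entries to
confirm which scanner requests actually changed the executed SQL text."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed sample (not from the page): trimmed W3C-style IIS lines,
# fields = date time method path query status.
IIS_LOG = """\
2012-05-04 13:49:01 GET /product.aspx id=42 200
2012-05-04 13:49:02 GET /product.aspx id=42'+OR+'1'%3D'1 500
2012-05-04 13:49:03 GET /search.aspx q=widget 200
"""

# Constructed sample: timestamp|statement, as a trace or Extended Events
# export of executed statements might be flattened.
SQL_LOG = """\
2012-05-04 13:49:01.120|SELECT * FROM Products WHERE Id = 42
2012-05-04 13:49:02.300|SELECT * FROM Products WHERE Id = 42' OR '1'='1
2012-05-04 13:49:03.050|SELECT * FROM Products WHERE Name LIKE '%widget%'
"""

WINDOW = timedelta(seconds=1)  # assumed clock skew between web and DB logs
SQL_META = re.compile(r"['\";]|--|/\*|\b(or|and|union|select)\b", re.I)


def parse_iis(text):
    rows = []
    for line in text.splitlines():
        date, time, method, path, query, status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        params = dict(parse_qsl(query, keep_blank_values=True))  # URL-decoded
        rows.append({"ts": ts, "path": path, "params": params, "status": int(status)})
    return rows


def parse_sql(text):
    rows = []
    for line in text.splitlines():
        ts, stmt = line.split("|", 1)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), "stmt": stmt})
    return rows


def confirmed_injections(iis_text, sql_text):
    """Return (path, params, statement) for every request whose parameter
    carrying SQL metacharacters appears verbatim inside a statement executed
    within WINDOW. A parameterized call (sp_executesql) doubles the quotes of
    its arguments, so it will not match: only string-concatenated SQL does."""
    hits, stmts = [], parse_sql(sql_text)
    for req in parse_iis(iis_text):
        suspicious = [v for v in req["params"].values() if SQL_META.search(v)]
        for s in stmts:
            if suspicious and abs(s["ts"] - req["ts"]) <= WINDOW \
                    and any(v in s["stmt"] for v in suspicious):
                hits.append((req["path"], req["params"], s["stmt"]))
    return hits


if __name__ == "__main__":
    for path, params, stmt in confirmed_injections(IIS_LOG, SQL_LOG):
        print(f"CONFIRMED {path} {params} -> {stmt}")
```

Scanner probes that produce a 500 but no matching statement were caught before reaching the database (or never built a query), which is exactly the distinction the black box scan alone cannot make.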
-3

The federal agency where I am on contract uses AppScan for web application reviews and AppDetective for the database side. It supports SQL Server.
I have never run it myself, but have had to respond to reports from audits that have been run.

HackToHell